Somewhat related and tangential to the other conversations .... Is it worth introducing a system property like "-Dtomcat.security.harden=true". (Personally not sold yet on the idea)
Then when set to true ...
- It can go nuts with additional SecureLifecycleListener checks
- It can disable all OOTB webapps (ROOT/docs/etc) (which then requires a new filter on those webapps)
- Other hardening checks (minimal error pages, server headers, ...)

So from a security perspective, it's trivial to enable. But from a developer getting started perspective, the docs, etc. are easy to see?

-Tim

On Thu, Jun 6, 2024 at 10:46 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
> All,
>
> I'd like to remove the <!-- and --> around the SecureLifecycleListener
> in conf/server.xml that we bundle with Tomcat distributions.
>
> Before I do so, are there any objections to making this change?
>
> Thanks,
> -chris